Asked by:
NPS Proxy - proxy Machine Auth requests?

Question
-
We have separate wireless SSID pointing to NPS servers on separate domains. They presently handle both user auth (BYOD) and machine auth (official win laptops) requests. We would like to bring this into one SSID for wireless efficiency.
In a test environment, I have added a NPS proxy - and I'm successful in forwarding the user authentication without issue.
Connection Request Policy #1 condition Condition = User Name value = ^domain1\\ match "domain1\samaccountname"
Connection Request Policy #2 condition Condition = User Name value = ^domain2\\ match "domain2\samaccountname"
- or value = ^domain1\\|@domain1\.org$ match "domain1\samaccountname" -or- "samaccountname@domain1.org"
I need Policy #3 & #4 to detect any machine auth request and forward it to the appropriate domain NPS.
Question: Can you proxy machine auth?
- Microsoft Docs - Connection Request Policies states "The Machine Identity attribute group contains the Machine Identity attribute. With this attribute, you can specify the method with which clients are identified in the policy." - This might suggest you can?
- however, there isn't a CRP condition for machine name, just user name, which might suggest you can't.
It looks like the request passes the identity of "host/hostname.domain1.org" - I see this in the log entries. I've tried to make a pattern match for the user name condition for this string without success. Microsoft Docs "Using Pattern-Matching Syntax in NPS" is confusing, in ways contradictory, and the examples I'm using have some syntax that doesn't appear to be in the document (like | ).
Thursday, May 9, 2019 2:49 PM
All replies
-
Hi,
I would suggest you use calling station ID condition.
You can enter the list of MAC address and put a Pipe/Logical OR (|) and put the another MAC enclosed between ^ and $.
Please refer to the link below:
Best regards,
Travis
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com
Friday, May 10, 2019 5:10 AM -
Thanks Travis.
In a way, I got this to work (matched and forwarded). For some reason the ^ and $ formatting the article suggested would not work; I had success with the full MAC address only. However, using MAC addresses would be difficult given the hundreds of clients we have and the 256-character limit (though perhaps it's 256 per rule, and one could have multiple rules).
Thanks for the info...
Friday, May 10, 2019 1:30 PM -
I would imagine I just need to get the matching correct.
I can successfully match account name data (NPS log):
<User-Name data_type="1">domain1\username</User-Name> using ^domain1\\
Likewise, in the NPS log, machines have the following in account name:
<User-Name data_type="1">host/pc035.domain1.org</User-Name>
Friday, May 10, 2019 1:52 PM -
Success. I'll detail it in case anyone is interested and might offer improvements.
Using User Name condition:
CRP Rule 1 - ^domain1\\|@domain1\.org$ matches "domain1\samusername" or samusers@domain1.org
CRP Rule 2 - ^domain2\\|@domain2\.org$ matches "domain2\samusername" or samusers@domain2.org
CRP Rule 3 - .domain1.org$ matches "host/pc123.domain1.org" - Windows machine identity
CRP Rule 4 - .domain2.org$ matches "host/pc123.domain2.org" - Windows machine identity
I would love a matching rule that included a check of the "host/" portion to further delineate a PC vs. a user, but "." vs. "@" will work.
- Proposed as answer by Travis Huang, Microsoft contingent staff, Monday, May 13, 2019 9:13 AM
Friday, May 10, 2019 3:27 PM -
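The following is an added example, not part of the thread or of NPS itself. It emulates NPS connection-request-policy ordering with Python's re module (an assumption: NPS accepts the same anchors, escapes and alternation these patterns use) so the four User-Name rules from the solution post and the Calling-Station-Id rule from Travis's reply can be checked offline against constructed User-Name and MAC values. It also shows the tightened "host/"-anchored form of rules 3 and 4 the poster wished for, and why the posted `.domain1.org$` form is looser than it looks: the unescaped dot matches any character, so a client-supplied User-Name such as `someone@evil-domain1.org` would be forwarded to domain1's NPS even though it is neither a domain1 user nor a machine identity.

```python
import re

# Hypothetical rule table modelled on the four CRPs the thread arrives at.
# NPS evaluates connection request policies in processing order and applies
# the first one whose conditions match, so rule order matters.
USER_NAME_CRPS = [
    ("CRP1 user -> domain1", r"^domain1\\|@domain1\.org$"),
    ("CRP2 user -> domain2", r"^domain2\\|@domain2\.org$"),
    # Tightened forms of CRP3/CRP4: anchor on the "host/" prefix that Windows
    # machine accounts present and escape the dots so they match literally.
    ("CRP3 machine -> domain1", r"^host/[^/@\\]+\.domain1\.org$"),
    ("CRP4 machine -> domain2", r"^host/[^/@\\]+\.domain2\.org$"),
]

# The machine rule exactly as posted in the thread (dots unescaped).
LOOSE_MACHINE_PATTERN = r".domain1.org$"

# Calling-Station-Id rule in the shape Travis described: MAC addresses joined
# with "|" and each wrapped in ^ and $. Both MACs are constructed sample values.
MAC_ALLOWLIST = r"^00-11-22-33-44-55$|^66-77-88-99-AA-BB$"


def first_matching_crp(user_name):
    """Return the name of the first CRP whose User-Name regex matches, else None."""
    for name, pattern in USER_NAME_CRPS:
        if re.search(pattern, user_name):
            return name
    return None


def loose_machine_pattern_matches(user_name):
    """True if the posted (unescaped) machine pattern would match this User-Name."""
    return re.search(LOOSE_MACHINE_PATTERN, user_name) is not None


def mac_matches(calling_station_id):
    """True if the Calling-Station-Id is one of the anchored MACs in the list."""
    return re.search(MAC_ALLOWLIST, calling_station_id) is not None


if __name__ == "__main__":
    # Constructed sample identities in the formats the NPS log showed.
    samples = [
        "domain1\\alice",
        "bob@domain2.org",
        "host/pc123.domain1.org",
        "host/pc123.domain2.org",
        "someone@evil-domain1.org",
    ]
    for s in samples:
        print(f"{s:32} -> {first_matching_crp(s)}  "
              f"(posted .domain1.org$ matches: {loose_machine_pattern_matches(s)})")
    for mac in ["00-11-22-33-44-55", "100-11-22-33-44-55", "66-77-88-99-AA-BB"]:
        print(f"{mac:20} -> {mac_matches(mac)}")
```

Because the User-Name is supplied by the client, a forwarding rule should match the exact identity shape the backend expects; the anchored `^host/...\.domain1\.org$` form routes only machine identities, and a misrouted request still has to authenticate at the backend, but it produces confusing failures and log entries on the wrong NPS.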
Hi,
I am glad to hear that your issue was successfully resolved.
In addition, thanks for sharing your solution in the forum as it would be helpful to anyone who encounters similar issues.
If there is anything else we can do for you, please feel free to post in the forum.
Best regards,
Travis
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com
Monday, May 13, 2019 9:13 AM